Abstract. Network coding provides the advantage of maximizing the usage of network resources, and has great application prospects in future network communications. However, the properties of network coding also make the pollution attack more serious. In this paper, we give an unconditionally secure authentication scheme for network coding based on a linear code C. Safavi-Naini and Wang [1] gave an authentication code for multi-receivers and multiple messages. We notice that the scheme of Safavi-Naini and Wang is essentially constructed with Reed-Solomon codes, and we modify their construction slightly to make it serve for authenticating subspace codes over a linear network. We also generalize the construction to linear codes. The generalization to linear codes has the same advantages as generalizing Shamir's secret sharing scheme to linear secret sharing schemes based on linear codes [2, 3, 4, 5, 6]. One advantage of this generalization is that for a fixed message space, our scheme allows arbitrarily many receivers to check the integrity of their own messages, while the scheme with Reed-Solomon codes has a constraint on the number of verifying receivers. Another advantage is that we introduce an access structure in the generalized scheme. Massey [4] characterized the access structure of a linear secret sharing scheme by the minimal codewords in the dual code whose first component is 1. We slightly modify the definition of minimal codewords in [4]. Let C be a [V, k] linear code. For any coordinate $i \in \{1, 2, \dots, V\}$, a codeword c in C is called minimal with respect to i if the codeword c has component 1 at the i-th coordinate and there is no other codeword whose i-th component is 1 with support strictly contained in that of c. Then the security of receiver $R_i$ in our authentication scheme is characterized by the minimal codewords with respect to i in the dual code $C^\perp$.

Keywords: Authentication scheme, network coding, subspace codes, linear codes, minimal codewords, substitution attack.



1. Introduction 

1.1. Background. Network coding is a novel technique to achieve the maximum multicast throughput, which was introduced by Ahlswede et al. [7]. It allows an intermediate node to generate output data by mixing its received data. In 2003, Li et al. [8] further showed that linear network coding is sufficient to achieve the optimal throughput in multicast networks. Subsequently, Ho et al. [9] introduced the concept of random linear network coding, and proved that it achieves the maximum throughput of a multicast network with high probability. Network coding is efficiently applicable to numerous forms of network communications, such as Internet TV, wireless networks, content distribution networks and P2P networks. Due to these advantages, network coding attracts many researchers and has developed very quickly.
However, networks using network coding face security problems that traditional networks do not. A particularly important problem is the pollution attack. If some nodes in the network are malicious and inject corrupted packets into the information flow, then the honest intermediate nodes mix the invalid packets with other packets. According to the rule of network coding, the corrupted outgoing packets quickly pollute the whole network and cause all the messages to be decoded wrongly at the destination.

Recently several related works have been proposed to address the pollution attack, such as homomorphic hashing, digital signatures and message authentication codes (MAC). Krohn et al. [10] (see also [11]) used a homomorphic hashing function to prevent pollution attacks. Yu et al. [12] proposed a homomorphic signature scheme based on discrete logarithm and RSA, which, however, was shown to be insecure by Yun et al. [13]. Charles et al. [14] gave a signature scheme based on the Weil pairing over elliptic curves and provided authentication of the data in addition to detecting pollution attacks. Zhao et al. [15] designed a signature scheme that views all blocks of the file as vectors and makes use of the fact that all valid vectors transmitted in the network should belong to the subspace spanned by the original set of vectors from the file. Boneh et al. [16] proposed two signature schemes that can be used in conjunction with network coding to prevent malicious modification of messages, and they showed that their constructions had a lower signature length compared with related prior work. Boneh et al. [17] constructed a linearly homomorphic signature scheme that authenticates vectors with coordinates in the binary field $\mathbb{F}_2$. It is the first such scheme based on the hard problem of finding short vectors in integer lattices. Agrawal and Boneh [18] designed a homomorphic MAC system that allows checking the integrity of network coded data. These works provide computational security (i.e., the attacker's resources are limited) in network coding.

Besides digital signatures and MACs, authentication codes also satisfy the properties of authentication. However, an authentication code provides unconditional security (i.e., the attacker has unlimited computational power). In the multi-receiver authentication model, a sender broadcasts an authenticated message such that all the receivers can independently verify the authenticity of the message with their own private keys. The security requirement is that malicious groups of receivers of up to a given size cannot successfully impersonate the transmitter or substitute a transmitted message. Desmedt et al. [19] gave an authentication scheme of a single message for multi-receivers. Safavi-Naini and Wang [1] extended the DFY scheme [19] to an authentication scheme of multiple messages for multi-receivers. Note that their construction was not linear over the base field with respect to the message. Oggier and Fathi [20, 21] made a small modification of the construction so that it can be used for network coding. Tang [22] used homomorphic authentication codes to sign a subspace, which provides unconditional security.

In this paper, we consider the combination of authentication codes and secret sharing in multicast network coding, and we use subspace codes to transmit messages. The verifying nodes independently verify the authenticity of the message using their own private keys, which are distributed by a trusted authority. Our method of authentication for subspace codes is different from signing a subspace [15, 16]. Also, compared with the computational security of [15] and [16], our construction is an unconditionally secure authentication code. And compared with the homomorphic scheme [22], our scheme is not homomorphic.

Firstly, we recall the general model of network coding and the definition of subspace codes. In the basic multicast model for linear network coding, a source node s generates n messages, each consisting of m symbols in the base field $\mathbb{F}_q$. Let $\{x_1, x_2, \dots, x_n\} \subseteq \mathbb{F}_q^{1 \times m}$ represent the set of messages. Based on the messages, the source node s transmits a message over each outgoing channel. At a node in the network, the symbols on its outgoing channels are $\mathbb{F}_q$-linear combinations of the incoming symbols. For a node i, define $\mathrm{Out}(i) = \{e \in E : e \text{ is an outgoing channel of } i\}$ and $\mathrm{In}(i) = \{e \in E : e \text{ is an incoming channel of } i\}$. If the channel e of the network carries the packet $y(e)$, where $e \in \mathrm{Out}(i)$ and i is an internal node, then $y(e)$ satisfies $y(e) = \sum_{d \in \mathrm{In}(i)} k_{d,e}\, y(d)$. The $|\mathrm{In}(i)| \times |\mathrm{Out}(i)|$ matrix $K_i = [k_{d,e}]_{d \in \mathrm{In}(i),\, e \in \mathrm{Out}(i)}$ is called the local encoding kernel at node i. Note that each $y(e)$ is a linear combination of the messages sent by the source node, so there exists a vector $f_e \in \mathbb{F}_q^{1 \times n}$ such that

$$y(e) = f_e X, \qquad \text{where } X = \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix}.$$

The vector $f_e$ is called the global encoding vector of channel e. Given the local encoding kernels for all the channels in the network, the global encoding vectors can be calculated recursively in any upstream-to-downstream order as follows:

$$f_e = \sum_{d \in \mathrm{In}(i)} k_{d,e}\, f_d .$$

Write the received vectors at a node t as a column vector

$$A_t = \big(y(e) : e \in \mathrm{In}(t)\big)^{T} = \begin{pmatrix} y(e_1) \\ y(e_2) \\ \vdots \\ y(e_{e(t)}) \end{pmatrix},$$

where $\mathrm{In}(t) = \{e_1, e_2, \dots, e_{e(t)}\}$. Then we have the decoding equation at the node t

$$F_t \cdot X = A_t,$$

where

$$F_t = \big(f_e : e \in \mathrm{In}(t)\big)^{T} = \begin{pmatrix} f_{e_1} \\ f_{e_2} \\ \vdots \\ f_{e_{e(t)}} \end{pmatrix}$$

is called the global encoding kernel at the node t.

The set of all subspaces of an l-dimensional vector space forms a projective space $\mathcal{P}_q(l)$. The set of all n-dimensional subspaces of an l-dimensional vector space is called a Grassmannian manifold $\mathcal{G}_q(l, n)$. A subspace code [23] $\mathcal{C} \subseteq \mathcal{P}_q(l)$ is a collection of subspaces in $\mathcal{P}_q(l)$ (for details about subspace codes, one can see [23]). Moreover, if $\mathcal{C} \subseteq \mathcal{G}_q(l, n)$ then $\mathcal{C}$ is a constant-dimension code of dimension n [23, 24]. For subspace codes, the problem is formulated as transmission of subspaces through a linear network. Suppose the network has minimum cut n. Then the transmitter selects a vector space $V \in \mathcal{C}$ from some constant-dimension code $\mathcal{C} \subseteq \mathcal{G}_q(l, n)$, and sends a basis of V into the network. The receiver t gathers the packets it received, and spans them to form a vector space U. Then it regards the subspace U as its received message. It is easy to see that if all channels in the network are error-free, then the node t can decode the original message V, i.e., U = V, if and only if the global encoding kernel at the node t is of full rank n (see also [23, Corollary 3]).
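As an added illustration of the recursion $f_e = \sum_{d \in \mathrm{In}(i)} k_{d,e} f_d$ and of the decoding equation $F_t X = A_t$ (this code is not from the paper), the following Python script fixes a small constructed butterfly network over $\mathbb{F}_7$ with n = 2 source messages of m = 3 symbols each, computes the global encoding vectors from the local kernels in upstream-to-downstream order, and decodes at a sink exactly when its global encoding kernel has full rank n. The topology, the local kernels and the message symbols are all constructed for the example; the edge names and node names are hypothetical.

```python
# Added example (not from the paper): global encoding vectors and decoding for
# linear network coding on a constructed butterfly network over F_7.
P = 7  # the base field F_q with q = 7 (prime), so all arithmetic is mod 7

def rref_mod_p(rows):
    """Reduced row echelon form over F_P by Gauss-Jordan; returns (matrix, rank)."""
    m = [[x % P for x in r] for r in rows]
    rank = 0
    for c in range(len(m[0])):
        piv = next((r for r in range(rank, len(m)) if m[r][c]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        f = pow(m[rank][c], P - 2, P)              # inverse of the pivot (Fermat)
        m[rank] = [(x * f) % P for x in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][c]:
                g = m[r][c]
                m[r] = [(x - g * y) % P for x, y in zip(m[r], m[rank])]
        rank += 1
    return m, rank

# Constructed butterfly network: source s sends x1 on e1 and x2 on e2 (n = 2);
# node c mixes its two inputs, sinks t1 and t2 each get one direct and one mixed edge.
N = 2                                              # number of source messages
SOURCE_EDGES = {"e1": [1, 0], "e2": [0, 1]}        # f_e fixed at the source
TAIL = {"e3": "a", "e5": "a", "e4": "b", "e6": "b", "e7": "c", "e8": "d", "e9": "d"}
IN_EDGES = {"a": ["e1"], "b": ["e2"], "c": ["e3", "e4"], "d": ["e7"],
            "t1": ["e5", "e8"], "t2": ["e6", "e9"]}
# local encoding kernels k_{d,e} (constructed): c adds e3 and e4, the others forward
KERNEL = {("e1", "e3"): 1, ("e1", "e5"): 1, ("e2", "e4"): 1, ("e2", "e6"): 1,
          ("e3", "e7"): 1, ("e4", "e7"): 1, ("e7", "e8"): 1, ("e7", "e9"): 1}
TOPO_ORDER = ["e3", "e5", "e4", "e6", "e7", "e8", "e9"]   # upstream-to-downstream

def global_encoding_vectors(kernel=KERNEL):
    """f_e = sum_{d in In(i)} k_{d,e} f_d, evaluated in upstream-to-downstream order."""
    f = {e: v[:] for e, v in SOURCE_EDGES.items()}
    for e in TOPO_ORDER:
        i = TAIL[e]
        acc = [0] * N
        for d in IN_EDGES[i]:
            acc = [(x + kernel[(d, e)] * y) % P for x, y in zip(acc, f[d])]
        f[e] = acc
    return f

def global_kernel(t, f):
    """F_t: the global encoding vectors of the incoming channels of t, stacked as rows."""
    return [f[e] for e in IN_EDGES[t]]

def encode(f, X):
    """What every channel carries when the network is honest: y(e) = f_e X."""
    return {e: [sum(fe[j] * X[j][c] for j in range(N)) % P for c in range(len(X[0]))]
            for e, fe in f.items()}

def decode(t, f, y):
    """Solve F_t X = A_t at sink t; None when rank F_t < n (the sink cannot decode)."""
    F_t = global_kernel(t, f)
    if rref_mod_p(F_t)[1] < N:
        return None
    A_t = [y[e] for e in IN_EDGES[t]]
    aug, _ = rref_mod_p([fr + ar for fr, ar in zip(F_t, A_t)])
    return [row[N:] for row in aug[:N]]

if __name__ == "__main__":
    f = global_encoding_vectors()
    X = [[3, 1, 4], [1, 5, 2]]                    # constructed source messages (m = 3)
    y = encode(f, X)
    for t in ("t1", "t2"):
        print(t, "kernel", global_kernel(t, f), "decoded", decode(t, f, y))
```

With the mixing node c adding both inputs, each sink's kernel has rank 2 and both sinks recover X. Passing a kernel in which c forwards only e3 (set `("e4", "e7")` to 0) makes the kernel at t1 rank-deficient, and `decode` reports that t1 cannot decode while t2 still can.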
Because the secret key sharing process in our authentication scheme is similar to that in the linear secret sharing scheme, we recall some basic concepts of linear codes and the traditional linear secret sharing scheme. Let $\mathbb{F}_q^V$ be the V-dimensional vector space over the finite field $\mathbb{F}_q$ with q elements. For any vector $x = (x_1, x_2, \dots, x_V) \in \mathbb{F}_q^V$, the Hamming weight $\mathrm{Wt}(x)$ of x is defined to be the number of non-zero coordinates, i.e.,

$$\mathrm{Wt}(x) = \#\{\, i \mid 1 \le i \le V,\ x_i \ne 0 \,\} .$$

A linear [V, k] code C is a k-dimensional linear subspace of $\mathbb{F}_q^V$. The minimum distance d(C) of C is the minimum Hamming weight of all non-zero vectors in C, i.e.,

$$d(C) = \min\{\, \mathrm{Wt}(c) \mid c \in C \setminus \{0\} \,\} .$$

A linear [V, k] code $C \subseteq \mathbb{F}_q^V$ is called a [V, k, d] linear code if C has minimum distance d. A vector in C is called a codeword of C. A matrix $G \in \mathbb{F}_q^{k \times V}$ is called a generator matrix of C if the rows of G form a basis for C. A well-known trade-off between the parameters of a linear [V, k, d] code is the Singleton bound, which states that

$$d \le V - k + 1 .$$

A [V, k, d] code is called a maximum distance separable (MDS) code if $d = V - k + 1$. The dual code $C^\perp$ of C is defined as the set

$$\{\, x \in \mathbb{F}_q^V \mid x \cdot c = 0 \text{ for all } c \in C \,\},$$

where $x \cdot c$ is the inner product of the vectors x and c, i.e.,

$$x \cdot c = x_1 c_1 + x_2 c_2 + \cdots + x_V c_V .$$

A secret sharing scheme provides security of a secret key by "splitting" it into several parts which are kept by different persons. In this way, many persons may be needed to recover the original key, which resists the attack of malicious groups of persons. Shamir [2] used polynomials over finite fields to give an (S, T) threshold secret sharing scheme such that any T persons of the S shares can uniquely determine the secret key but any T − 1 persons cannot get any information about the key. A linear secret sharing scheme based on a linear code [4] is constructed as follows: encode the secret as the first coordinate of a codeword and distribute the rest of the codeword (except the first, secret coordinate) to the group of shareholders. McEliece and Sarwate [3] pointed out that Shamir's construction is essentially a linear secret sharing scheme based on Reed-Solomon codes. Also, as a natural generalization of Shamir's construction, Chen and Cramer [6] constructed a linear secret sharing scheme based on algebraic geometry codes.

A qualified subset of a linear secret sharing scheme is a subset of shares such that the shares in the subset can recover the secret key. A qualified subset is called minimal if, when any share is removed from it, the remaining shares cannot recover the secret key. The access structure of a linear secret sharing scheme consists of all the minimal qualified subsets. A codeword v in a linear code C is said to be minimal if v is a non-zero codeword whose leftmost nonzero component is a 1 and no other codeword v' whose leftmost nonzero component is 1 has support strictly contained in the support of v. Massey [4, 5] showed that the access structure of a linear secret sharing scheme based on a linear code is completely determined by the minimal codewords in the dual code whose first component is 1.

Proposition 1 ([4]). The access structure of the linear secret-sharing scheme corresponding to the linear code C is specified by those minimal codewords in the dual code $C^\perp$ whose first component is 1, in the manner that the set of shares specified by a minimal codeword whose first component is 1 in the dual code is the set of shares corresponding to those locations after the first in the support of this minimal codeword.

With the above preparation, we next present our construction and main results. 

1.2. Our Construction and Main Results. Suppose the base field of the network is the finite field $\mathbb{F}_q$ and we use subspace codes to transmit messages. Take the message space to be the Grassmannian manifold $\mathcal{G}_q(l, n)$. If the source wants to send a message $U \in \mathcal{G}_q(l, n)$, it could send any basis $s_1, s_2, \dots, s_n$ of U. After network coding, any node in the network linearly combines the vectors it received to obtain a linear subspace of $\mathbb{F}_q^l$. Provided that no error occurs in the network, the linear subspace is just the message sent by the source if the dimension of the subspace equals n. We authenticate the basis $s_1, s_2, \dots, s_n$. Instead of sending the original basis directly, the source node actually sends the authenticated vectors, and each node in the network receives linear combinations of the tagged vectors. Some nodes $R_1, R_2, \dots, R_V$ in the network can also use their own protocols to verify the integrity of the received vectors. We call these nodes verifying nodes.

There may be some malicious receivers in the network who collude to perform an impersonation attack by constructing a fake message, or a substitution attack by altering the message content such that the new tagged message can be accepted by some other receiver or by a specific receiver. To substitute the message, the malicious group should generate a vector not in the subspace sent by the source such that the vector with a tag can be accepted by some other receiver.

In this subsection, we present our construction of an authentication scheme based on a linear code for subspace codes in network coding. It will be shown that the ability of our scheme to resist the attack of the malicious receivers is measured by the minimum distance of the dual code and the minimal codewords with respect to a specific coordinate in the dual code.

Construction:

Let $C \subseteq \mathbb{F}_q^V$ be a linear code with minimum distance $d(C) \ge 2$, and assume that the minimum distance of the dual code is $d(C^\perp) \ge 2$. Fix a generator matrix G of C,

$$G = \begin{pmatrix} g_{1,1} & g_{1,2} & \cdots & g_{1,V} \\ g_{2,1} & g_{2,2} & \cdots & g_{2,V} \\ \vdots & \vdots & \ddots & \vdots \\ g_{k,1} & g_{k,2} & \cdots & g_{k,V} \end{pmatrix}.$$

Then make G public.

• Key generation: A trusted authority randomly chooses the parameters

$$A = \begin{pmatrix} a_{0,1} & a_{0,2} & \cdots & a_{0,k} \\ a_{1,1} & a_{1,2} & \cdots & a_{1,k} \\ \vdots & \vdots & \ddots & \vdots \\ a_{M,1} & a_{M,2} & \cdots & a_{M,k} \end{pmatrix} \in \mathbb{F}_{q^l}^{(M+1) \times k}.$$



• Key distribution: The trusted authority computes

$$B = AG = \begin{pmatrix} b_{0,1} & b_{0,2} & \cdots & b_{0,V} \\ b_{1,1} & b_{1,2} & \cdots & b_{1,V} \\ \vdots & \vdots & \ddots & \vdots \\ b_{M,1} & b_{M,2} & \cdots & b_{M,V} \end{pmatrix}.$$

Then the trusted authority distributes to each verifier $R_i$ the i-th column of B as its private key, for i = 1, 2, ..., V.

• Authentication tag: Assume that the source node sends a basis $s_1, s_2, \dots, s_n \in U$ of an n-dimensional subspace U of $\mathbb{F}_q^l$. The trusted authority chooses an $\mathbb{F}_q$-linear isomorphism between $\mathbb{F}_q^l$ and $\mathbb{F}_{q^l}$. Without any confusion, we identify $\mathbb{F}_q^l$ with $\mathbb{F}_{q^l}$ via this isomorphism (the isomorphism is also made public). Then define multiplication in $\mathbb{F}_q^l$ via the multiplication in $\mathbb{F}_{q^l}$. The source computes the tag map

$$L = [L_1, L_2, \dots, L_k] : \mathbb{F}_{q^l} \to \mathbb{F}_{q^l}^{k}, \qquad s \mapsto [L_1(s), L_2(s), \dots, L_k(s)],$$

where the map $L_i$ (i = 1, 2, ..., k) is defined by¹

$$L_i(s) = a_{0,i} + \sum_{j=1}^{M} a_{j,i}\, s^{q^{j-1}} \qquad \text{for any } s \in \mathbb{F}_{q^l}.$$

For each i = 1, 2, ..., n, instead of $s_i$, the source node actually sends the packet $x_i$ of the form

$$x_i = [1, s_i, L(s_i)] \in \mathbb{F}_q^{1 + l + kl}.$$
Remark 1. With the "1" added at the beginning of each tagged vector, this scheme can be used for random network coding, since the "1" keeps track of the network coding coefficients. In this way, the internal verifying nodes need not know the exact global encoding kernel and can still verify the received vectors. We will see this in the verification step. For network coding with fixed local encoding kernels, we can delete the first bit 1 and define the tag map $L_i$ to be linear with respect to the vector s, $L_i(s) = \sum_{j=0}^{M} a_{j,i}\, s^{q^{j}}$.

• Verification:

Suppose the global encoding kernel at the verifying node $R_i$ is

$$H^{(i)} = \begin{pmatrix} h^{(i)}_{1,1} & h^{(i)}_{1,2} & \cdots & h^{(i)}_{1,n} \\ h^{(i)}_{2,1} & h^{(i)}_{2,2} & \cdots & h^{(i)}_{2,n} \\ \vdots & \vdots & \ddots & \vdots \\ h^{(i)}_{e(i),1} & h^{(i)}_{e(i),2} & \cdots & h^{(i)}_{e(i),n} \end{pmatrix}.$$

Then the node receives the tagged vectors

$$y(R_i) = H^{(i)} \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix}.$$

The m-th row is given by

$$\Big[ \sum_{j=1}^{n} h^{(i)}_{m,j},\ \ \sum_{j=1}^{n} h^{(i)}_{m,j}\, s_j,\ \ \sum_{j=1}^{n} h^{(i)}_{m,j}\, L_1(s_j),\ \ \dots,\ \ \sum_{j=1}^{n} h^{(i)}_{m,j}\, L_k(s_j) \Big].$$
¹Note that any $\mathbb{F}_q$-linear endomorphism f of $\mathbb{F}_{q^l}$ is of the form $f(s) = \sum_{j=1}^{l} c_j\, s^{q^{j-1}}$ (for any $s \in \mathbb{F}_{q^l}$) for some $c_j \in \mathbb{F}_{q^l}$, j = 1, 2, ..., l. To fit the linear operation of the network coding, the tag map should be $\mathbb{F}_q$-linear or "near"
The verifier $R_i$ checks whether

$$\Big( \sum_{j=1}^{n} h^{(i)}_{m,j} \Big) b_{0,i} + \sum_{t=1}^{M} b_{t,i} \Big( \sum_{j=1}^{n} h^{(i)}_{m,j}\, s_j \Big)^{q^{t-1}}$$

equals

$$\sum_{t=1}^{k} \Big( \sum_{j=1}^{n} h^{(i)}_{m,j}\, L_t(s_j) \Big) g_{t,i}$$

for all m = 1, 2, ..., e(i). We call $b_{0,i} + \sum_{t=1}^{M} b_{t,i}\, s^{q^{t-1}} \in \mathbb{F}_{q^l}$ the label of $R_i$ for $s \in \mathbb{F}_{q^l}$.

Correctness of Verification: if the network has not been invaded, the node $R_i$ should have

$$\sum_{t=1}^{k} \Big( \sum_{j=1}^{n} h^{(i)}_{m,j}\, L_t(s_j) \Big) g_{t,i} = \Big( \sum_{j=1}^{n} h^{(i)}_{m,j} \Big) b_{0,i} + \sum_{t=1}^{M} b_{t,i} \Big( \sum_{j=1}^{n} h^{(i)}_{m,j}\, s_j \Big)^{q^{t-1}}$$

for all m = 1, 2, ..., e(i).

We summarize the extra costs in general when we communicate messages with the authentication tag:

    Tag size ............................... $kl + 1$ / $\mathbb{F}_q$
    Communication cost ..................... $kl + l + 1$ / $\mathbb{F}_q$
    Tag computation cost ................... $(M - 1)kn$ exp. / $\mathbb{F}_{q^l}$, $Mkn$ multi. / $\mathbb{F}_{q^l}$
    Verification computation cost at $R_i$ .. $(M - 1)e(i)$ exp. / $\mathbb{F}_{q^l}$, $(M + k + 1)e(i)$ multi. / $\mathbb{F}_{q^l}$
    Storage at the source .................. $(M + 1)k$ / $\mathbb{F}_{q^l}$
    Storage at each verifier ............... $M + 1$ / $\mathbb{F}_{q^l}$
    Key distribution computation cost ...... $(M + 1)kV$ multi. / $\mathbb{F}_{q^l}$

where $1/\mathbb{F}$, 1 exp./$\mathbb{F}$ and 1 multi./$\mathbb{F}$ mean one symbol, one exponentiation and one multiplication in the finite field $\mathbb{F}$ (here $\mathbb{F}_q$ or $\mathbb{F}_{q^l}$), respectively. When we use a special generator matrix, e.g., the generator matrix of a systematic code, the cost at the verifying nodes will be less. Note that the disadvantage is that the tag part introduces much redundancy compared with the length of the original vector.
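To make the construction concrete, here is an added Python implementation (not from the paper) of the key distribution, tag and verification steps for one small parameter set: q = 2, l = 4 (so $\mathbb{F}_{q^l} = \mathbb{F}_{16}$, built as $\mathbb{F}_2[x]/(x^4+x+1)$), the binary [7,4] Hamming code as C (k = 4, V = 7, and $d(C^\perp) = 4$ because the dual is the simplex code), and M = n = 2. The key matrix A, the basis vectors $s_1, s_2$ and the network coding coefficients are constructed values; in the scheme the trusted authority draws A at random. The script computes B = AG, hands each verifier its column, tags the basis, forms the $\mathbb{F}_2$-linear combinations the network can produce, and runs the check of the verification step; it then keeps one tag fixed and swaps the payload s for every other field element to count how many substitutions each verifier rejects.

```python
# Added example (not from the paper): the tag and verification steps of the
# construction for q = 2, l = 4, C = binary [7,4] Hamming code, M = n = 2.
from functools import reduce

Q, L = 2, 4
MOD = 0b10011          # x^4 + x + 1, so F_{q^l} = GF(16) = F_2[x]/(x^4 + x + 1)

def gf_mul(a, b):
    """Multiplication in GF(16); elements are ints 0..15, bit i = coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b10000:
            a ^= MOD
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def frob(s, t):
    """s^(q^t): the t-fold Frobenius, an F_q-linear map of F_{q^l}."""
    return gf_pow(s, Q ** t)

def xor_all(items):
    return reduce(lambda x, y: x ^ y, items, 0)

# Constructed generator matrix G of the binary [7,4] Hamming code (k = 4, V = 7).
# Its dual is the [7,3,4] simplex code, so d(C^perp) = 4 and Theorem 2 tolerates 2 colluders.
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
K, V, M = 4, 7, 2

# Constructed key matrix A in GF(16)^{(M+1) x k}; the trusted authority draws it at random.
A = [[1, 1, 1, 1],
     [2, 7, 11, 5],
     [9, 3, 14, 6]]

def key_distribution():
    """B = A G; the private key of verifier R_i (0-based i) is the i-th column of B."""
    B = [[xor_all(gf_mul(A[j][t], G[t][i]) for t in range(K)) for i in range(V)]
         for j in range(M + 1)]
    return [[B[j][i] for j in range(M + 1)] for i in range(V)]

KEYS = key_distribution()

def tag_map(s):
    """L(s) = [L_1(s), ..., L_k(s)] with L_t(s) = a_{0,t} + sum_{j=1}^{M} a_{j,t} s^{q^{j-1}}."""
    return [A[0][t] ^ xor_all(gf_mul(A[j][t], frob(s, j - 1)) for j in range(1, M + 1))
            for t in range(K)]

def tagged_packet(s):
    """x = [1, s, L(s)]: the leading 1 tracks the network coding coefficients."""
    return [1, s] + tag_map(s)

def combine(packets, h):
    """Network coding over F_2: h in {0,1}^n selects which packets are added (XOR)."""
    return [xor_all(p[c] for p, hj in zip(packets, h) if hj) for c in range(2 + K)]

def label(i, a, s):
    """a b_{0,i} + sum_{j=1}^{M} b_{j,i} s^{q^{j-1}}: the label of R_i for s."""
    b = KEYS[i]
    return gf_mul(a, b[0]) ^ xor_all(gf_mul(b[j], frob(s, j - 1)) for j in range(1, M + 1))

def verify(i, packet):
    """R_i accepts [a, s, v_1, ..., v_k] iff its label equals sum_t v_t g_{t,i}."""
    a, s, v = packet[0], packet[1], packet[2:]
    return label(i, a, s) == xor_all(gf_mul(v[t], G[t][i]) for t in range(K))

S1, S2 = 0b0011, 0b1010                    # constructed basis of a 2-dim subspace of F_2^4
PACKETS = [tagged_packet(S1), tagged_packet(S2)]

def honest_all_verify():
    """Every F_2-combination the network can form passes at every verifier."""
    return all(verify(i, combine(PACKETS, h))
               for i in range(V) for h in ((1, 0), (0, 1), (1, 1)))

def substitution_rejections(i):
    """Keep the first packet's tag, replace its payload by each other field element,
    and count how many of the 15 substitutions R_i rejects."""
    a, s, v = PACKETS[0][0], PACKETS[0][1], PACKETS[0][2:]
    return sum(1 for s2 in range(16) if s2 != s and not verify(i, [a, s2] + v))

if __name__ == "__main__":
    print("honest packets accepted everywhere:", honest_all_verify())
    print("rejected substitutions per verifier:", [substitution_rejections(i) for i in range(V)])
```

Every honest combination verifies at all seven verifiers because the Frobenius map $s \mapsto s^{q}$ is $\mathbb{F}_q$-linear and therefore commutes with the network's mixing, which is exactly the correctness argument above. With M = 2 the label $b_{0,i} + b_{1,i}s + b_{2,i}s^{2}$ is, apart from the constant, an $\mathbb{F}_2$-linear function of s whose kernel has at most two elements, so for a fixed tag at most one of the 15 other payloads collides with the original label: at $R_1$ (column $(1,0,0,0)^T$ of G, so $b_{1,1} = 2$ and $b_{2,1} = 9$) exactly one collides and 14 are rejected, while at $R_5$, where $b_{1,5}$ happens to be 0, all 15 are rejected.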

The Main Results about the Security of Our Scheme:

The security of the above authentication scheme is summarized in the following theorems.

Theorem 2. The scheme we constructed above is an unconditionally secure authentication code for network coding against a coalition of up to $(d(C^\perp) - 2)$ malicious receivers.

The proof of this theorem will be given in Section 2.

More specifically, we consider which coalitions of malicious receivers can successfully make a substitution attack to one fixed receiver $R_i$. To characterize such malicious groups, we slightly modify the definition of a minimal codeword in [4].

Definition 1. Let C be an [N, k] linear code. For any $i \in \{1, 2, \dots, N\}$, a codeword c in C is called minimal with respect to i if the codeword c has component 1 at the i-th location and there is no other codeword whose i-th component is 1 with support strictly contained in that of c.
Similarly to Proposition 1, we have

Theorem 3. For the authentication scheme we constructed, we have

(i): The set of all minimal malicious groups that can successfully make a substitution attack to the receiver $R_i$ is determined completely by all the minimal codewords with respect to i in the dual code $C^\perp$.

(ii): All malicious groups that cannot produce a fake authenticated message which can be accepted by the receiver $R_i$ are in one-to-one correspondence with the subsets of $[V] \setminus \{i\}$ such that each of them together with i does not contain the support of any minimal codeword with respect to i in the dual code $C^\perp$, where $[V] = \{1, 2, \dots, V\}$.

If we take MDS codes, e.g., Reed-Solomon codes, in our construction, Theorems 2 and 3 induce the following corollary.

Corollary 4. Let C be a [V, k, d] MDS code. For our authentication scheme based on C, we have

(i): The scheme is an unconditionally secure authentication code for network coding against a coalition of up to (k − 1) malicious receivers.

(ii): Moreover, a malicious group can successfully make a substitution attack to any other receiver if and only if the malicious group has at least k members.

If an authentication scheme satisfies conditions (i) and (ii) in Corollary 4, then we call the authentication scheme a (V, k) threshold authentication scheme. In general, it is NP-hard to determine completely whether a malicious group can successfully make a substitution attack to others or not. More authentication schemes based on algebraic geometry codes from elliptic curves will be given in Section 3, where we use the group of rational points on the elliptic curve to give a complete classification as in Corollary 4.

In Section 2, we explicitly give the security analysis of our authentication scheme, i.e., the proofs of Theorems 2 and 3. In Section 3, we give an explicit authentication scheme based on algebraic geometry codes from elliptic curves.

2. Security Analysis

In this section, we present the security analysis of our scheme. From the verification step, we notice that the tagged vector $[a, s, v_1, v_2, \dots, v_k]$ on one incoming edge can be accepted by the receiver $R_i$, where $a \in \mathbb{F}_q$ is the corresponding track of the network coding coefficients, if and only if $a\, b_{0,i} + \sum_{t=1}^{M} b_{t,i}\, s^{q^{t-1}} = \sum_{j=1}^{k} v_j\, g_{j,i}$. So in order to make a substitution attack to $R_i$ it suffices to know the label $a\, b_{0,i} + \sum_{t=1}^{M} b_{t,i}\, s^{q^{t-1}}$ for some $s \in \mathbb{F}_{q^l}$ not in the subspace sent by the transmitter; then it is trivial to construct a tag $(v_1, v_2, \dots, v_k)$ such that

$$a\, b_{0,i} + \sum_{t=1}^{M} b_{t,i}\, s^{q^{t-1}} = \sum_{j=1}^{k} v_j\, g_{j,i}.$$

The security depends on the hardness of determining the key matrix A, or of determining the private key of some other node, by solving a system of linear equations. Suppose a group of K malicious nodes collaborate to recover A and make a substitution attack. Without loss of generality, we assume that the malicious nodes are $R_1, R_2, \dots, R_K$. Each $R_i$ has some

²Here, we clarify that in the whole paper, "can (successfully) make a substitution attack" means that they can make a substitution attack deterministically, and "cannot" means that they cannot successfully produce a fake authenticated message which can be accepted by others with a probability higher than randomly choosing one.
information about the key A:

$$\begin{pmatrix} \sum_{j=1}^{n} h^{(i)}_{1,j} & \sum_{j=1}^{n} h^{(i)}_{1,j}\, s_j & \cdots & \sum_{j=1}^{n} h^{(i)}_{1,j}\, s_j^{q^{M-1}} \\ \sum_{j=1}^{n} h^{(i)}_{2,j} & \sum_{j=1}^{n} h^{(i)}_{2,j}\, s_j & \cdots & \sum_{j=1}^{n} h^{(i)}_{2,j}\, s_j^{q^{M-1}} \\ \vdots & \vdots & \ddots & \vdots \\ \sum_{j=1}^{n} h^{(i)}_{e(i),j} & \sum_{j=1}^{n} h^{(i)}_{e(i),j}\, s_j & \cdots & \sum_{j=1}^{n} h^{(i)}_{e(i),j}\, s_j^{q^{M-1}} \end{pmatrix} A = \begin{pmatrix} \sum_{j=1}^{n} h^{(i)}_{1,j}\, L_1(s_j) & \cdots & \sum_{j=1}^{n} h^{(i)}_{1,j}\, L_k(s_j) \\ \sum_{j=1}^{n} h^{(i)}_{2,j}\, L_1(s_j) & \cdots & \sum_{j=1}^{n} h^{(i)}_{2,j}\, L_k(s_j) \\ \vdots & \ddots & \vdots \\ \sum_{j=1}^{n} h^{(i)}_{e(i),j}\, L_1(s_j) & \cdots & \sum_{j=1}^{n} h^{(i)}_{e(i),j}\, L_k(s_j) \end{pmatrix}$$

and

$$A \begin{pmatrix} g_{1,i} \\ g_{2,i} \\ \vdots \\ g_{k,i} \end{pmatrix} = \begin{pmatrix} b_{0,i} \\ b_{1,i} \\ \vdots \\ b_{M,i} \end{pmatrix}.$$

The group of malicious nodes combines their equations, and they get a system of linear equations

$$(2.1) \qquad \begin{pmatrix} D_1 \\ D_2 \\ \vdots \\ D_K \end{pmatrix} A = \begin{pmatrix} C_1 \\ C_2 \\ \vdots \\ C_K \end{pmatrix}, \qquad A \begin{pmatrix} g_{1,1} & g_{1,2} & \cdots & g_{1,K} \\ g_{2,1} & g_{2,2} & \cdots & g_{2,K} \\ \vdots & \vdots & \ddots & \vdots \\ g_{k,1} & g_{k,2} & \cdots & g_{k,K} \end{pmatrix} = \begin{pmatrix} b_{0,1} & b_{0,2} & \cdots & b_{0,K} \\ b_{1,1} & b_{1,2} & \cdots & b_{1,K} \\ \vdots & \vdots & \ddots & \vdots \\ b_{M,1} & b_{M,2} & \cdots & b_{M,K} \end{pmatrix},$$

where $D_i$ is the $e(i) \times (M+1)$ coefficient matrix and $C_i$ the $e(i) \times k$ right-hand side of the first equation above for the node $R_i$:

$$D_i = \begin{pmatrix} \sum_{j} h^{(i)}_{1,j} & \sum_{j} h^{(i)}_{1,j}\, s_j & \cdots & \sum_{j} h^{(i)}_{1,j}\, s_j^{q^{M-1}} \\ \vdots & \vdots & \ddots & \vdots \\ \sum_{j} h^{(i)}_{e(i),j} & \sum_{j} h^{(i)}_{e(i),j}\, s_j & \cdots & \sum_{j} h^{(i)}_{e(i),j}\, s_j^{q^{M-1}} \end{pmatrix}, \qquad C_i = \begin{pmatrix} \sum_{j} h^{(i)}_{1,j}\, L_1(s_j) & \cdots & \sum_{j} h^{(i)}_{1,j}\, L_k(s_j) \\ \vdots & \ddots & \vdots \\ \sum_{j} h^{(i)}_{e(i),j}\, L_1(s_j) & \cdots & \sum_{j} h^{(i)}_{e(i),j}\, L_k(s_j) \end{pmatrix}$$

(all sums over j = 1, 2, ..., n). Denote

$$S_n = \begin{pmatrix} 1 & s_1 & s_1^{q} & \cdots & s_1^{q^{M-1}} \\ 1 & s_2 & s_2^{q} & \cdots & s_2^{q^{M-1}} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & s_n & s_n^{q} & \cdots & s_n^{q^{M-1}} \end{pmatrix}$$

and write $H_i = H^{(i)}$ for the global encoding kernel at $R_i$.

Lemma 5. Let P be the subspace of $\mathbb{F}_{q^l}^{k}$ generated by $\{g_{i_1}, g_{i_2}, \dots, g_{i_K}\}$, where $g_{i_j}$ represents the $i_j$-th column of the generator matrix G. Suppose $K_0 = \dim P \le k - 1$. Then there exist exactly $q^{l(M+1-r_0)(k-K_0)}$ matrices A satisfying the system of equations (2.1), where

$$r_0 = \operatorname{rank} \begin{pmatrix} H_{i_1} S_n \\ H_{i_2} S_n \\ \vdots \\ H_{i_K} S_n \end{pmatrix}.$$

Proof. Without loss of generality, we assume $\{i_1, i_2, \dots, i_K\} = \{1, 2, \dots, K\}$. Recall the system (2.1):

$$\begin{pmatrix} H_1 S_n \\ H_2 S_n \\ \vdots \\ H_K S_n \end{pmatrix} A = \begin{pmatrix} C_1 \\ C_2 \\ \vdots \\ C_K \end{pmatrix}, \qquad A \begin{pmatrix} g_{1,1} & g_{1,2} & \cdots & g_{1,K} \\ g_{2,1} & g_{2,2} & \cdots & g_{2,K} \\ \vdots & \vdots & \ddots & \vdots \\ g_{k,1} & g_{k,2} & \cdots & g_{k,K} \end{pmatrix} = \begin{pmatrix} b_{0,1} & b_{0,2} & \cdots & b_{0,K} \\ b_{1,1} & b_{1,2} & \cdots & b_{1,K} \\ \vdots & \vdots & \ddots & \vdots \\ b_{M,1} & b_{M,2} & \cdots & b_{M,K} \end{pmatrix}.$$

Rewrite the matrix A of variables as a single column of $k(M+1)$ variables (column by column). Then the system (2.1) becomes

$$(2.2) \qquad \begin{pmatrix} H_1 S_n & & & \\ \vdots & & & \\ H_K S_n & & & \\ & H_1 S_n & & \\ & \vdots & & \\ & H_K S_n & & \\ & & \ddots & \\ & & & H_1 S_n \\ & & & \vdots \\ & & & H_K S_n \\ g_{1,1} I_{M+1} & g_{2,1} I_{M+1} & \cdots & g_{k,1} I_{M+1} \\ g_{1,2} I_{M+1} & g_{2,2} I_{M+1} & \cdots & g_{k,2} I_{M+1} \\ \vdots & \vdots & \ddots & \vdots \\ g_{1,K} I_{M+1} & g_{2,K} I_{M+1} & \cdots & g_{k,K} I_{M+1} \end{pmatrix} \begin{pmatrix} a_{0,1} \\ a_{1,1} \\ \vdots \\ a_{M,1} \\ a_{0,2} \\ a_{1,2} \\ \vdots \\ a_{M,2} \\ \vdots \\ a_{0,k} \\ a_{1,k} \\ \vdots \\ a_{M,k} \end{pmatrix} = T,$$

where the empty blocks are zero, $I_{M+1}$ is the identity matrix of rank M + 1 and T is the column vector of the constant terms in system (2.1) in the proper order. Notice that

$$r_0 = \operatorname{rank} \begin{pmatrix} H_1 S_n \\ H_2 S_n \\ \vdots \\ H_K S_n \end{pmatrix} = \operatorname{rank} \left( \begin{pmatrix} H_1 \\ H_2 \\ \vdots \\ H_K \end{pmatrix} S_n \right) \le \min \left\{ \operatorname{rank} \begin{pmatrix} H_1 \\ H_2 \\ \vdots \\ H_K \end{pmatrix},\ n \right\}.$$

Also note that the rows of

$$\begin{pmatrix} H_1 S_n \\ H_2 S_n \\ \vdots \\ H_K S_n \end{pmatrix}$$

are contained in the space $\mathbb{F}_{q^l}^{M+1}$ generated by the rows of $g_{i,j} I_{M+1}$ if $g_{i,j} \ne 0$. So the rank of the big matrix of coefficients equals

$$r_0 k + (M + 1 - r_0) K_0,$$

which is less than the number of variables $k(M+1)$. So the system (2.2) has

$$q^{\,l\big(k(M+1) - (r_0 k + (M+1-r_0)K_0)\big)} = q^{\,l(M+1-r_0)(k-K_0)}$$

solutions, i.e., the system (2.1) has $q^{l(M+1-r_0)(k-K_0)}$ solutions. □

Remark 2. From Lemma 5, in order to cut down the extra costs introduced by authentication, we could choose M = n. In this case, M is the minimal integer such that M ≥ n and Lemma 5 holds. Lemma 5 is the key lemma in [25], by which we can remove a very important condition in the main result of [21].

Note that if C is an [n, k, d = n − k + 1] MDS code, then whenever K < k − 1 the vectors in any K-subset of columns of G are linearly independent.

By Lemma 5, the security of our authentication scheme follows.

Theorem 6. The scheme we constructed above with M = n is an unconditionally secure authentication code for network coding against a coalition of up to $(d(C^\perp) - 2)$ malicious verifiers.

Proof. Suppose the source node sends M = n $\mathbb{F}_q$-linearly independent vectors $s_1, s_2, \dots, s_M$, i.e., a basis for a subspace message. It is enough to consider the case that $K = d(C^\perp) - 2$ malicious nodes have received M $\mathbb{F}_q$-linearly independent vectors $y_1, y_2, \dots, y_M$ and all these malicious nodes are verifying nodes, because in this case they know the most information about the key matrix A. In other words, the subspace generated by the vectors they received is the subspace sent by the source node. This is also equivalent to the condition that the coalition of the global kernels at the malicious nodes $R_1, \dots, R_K$ has rank

$$\operatorname{rank} \begin{pmatrix} H_1 \\ H_2 \\ \vdots \\ H_K \end{pmatrix} = n.$$

Under these conditions, they want to make a substitution attack to any other verifying node.

Suppose the malicious nodes $R_1, \dots, R_K$ want to generate a valid M-dimensional subspace $\mathbb{F}_q s_1' \oplus \mathbb{F}_q s_2' \oplus \cdots \oplus \mathbb{F}_q s_M'$ such that it can be accepted by $R_{K+1}$. It is equivalent to generating a valid vector $[1, s_{M+1}, v_1, v_2, \dots, v_k]$ with $s_{M+1} \notin \mathbb{F}_q s_1 \oplus \mathbb{F}_q s_2 \oplus \cdots \oplus \mathbb{F}_q s_M$ such that it can be accepted by $R_{K+1}$. So what they try to do is to guess the label

$$b_{0,K+1} + b_{1,K+1}\, s_{M+1} + b_{2,K+1}\, s_{M+1}^{q} + \cdots + b_{M,K+1}\, s_{M+1}^{q^{M-1}}$$

for some $s_{M+1} \notin \mathbb{F}_q s_1 \oplus \mathbb{F}_q s_2 \oplus \cdots \oplus \mathbb{F}_q s_M$ and construct a vector $(v_1, v_2, \dots, v_k) \in \mathbb{F}_{q^l}^{k}$ such that

$$\sum_{j=1}^{k} g_{j,K+1}\, v_j = b_{0,K+1} + b_{1,K+1}\, s_{M+1} + b_{2,K+1}\, s_{M+1}^{q} + \cdots + b_{M,K+1}\, s_{M+1}^{q^{M-1}}.$$

Then the fake message $[1, s_{M+1}, v_1, v_2, \dots, v_k]$ can be accepted by $R_{K+1}$.

In this case, by Lemma 5 there exist $q^{l(k - d(C^\perp) + 2)}$ matrices A satisfying the system of equations (2.1).

For any $s_{M+1} \notin \mathbb{F}_q s_1 \oplus \mathbb{F}_q s_2 \oplus \cdots \oplus \mathbb{F}_q s_M$, we define

$$\varphi_{s_{M+1}} : \{\text{Solutions of System (2.1)}\} \to \mathbb{F}_{q^l}, \qquad A \mapsto (1, s_{M+1}, s_{M+1}^{q}, \dots, s_{M+1}^{q^{M-1}})\, A \begin{pmatrix} g_{1,K+1} \\ g_{2,K+1} \\ \vdots \\ g_{k,K+1} \end{pmatrix}.$$

Then we claim:

(1): $\varphi_{s_{M+1}}$ is surjective.

(2): for any $y \in \mathbb{F}_{q^l}$, the number of inverse images of y is $\#\varphi_{s_{M+1}}^{-1}(y) = q^{l(k - d(C^\perp) + 1)}$.

So the information held by the colluders allows them to calculate equally likely different labels for $s_{M+1}$, and hence their probability of success is $1/q^{l}$, which is equal to the probability of guessing the label $b_{0,K+1} + b_{1,K+1}\, s_{M+1} + b_{2,K+1}\, s_{M+1}^{q} + \cdots + b_{M,K+1}\, s_{M+1}^{q^{M-1}}$ for $s_{M+1}$ randomly from $\mathbb{F}_{q^l}$. Hence we finish the proof of the theorem.

Next, we prove our claim. As $K + 1 = d(C^\perp) - 1$, the columns $g_1, g_2, \dots, g_{K+1}$ are linearly independent over $\mathbb{F}_q$; otherwise the dual code $C^\perp$ would have a codeword with Hamming weight $\le d(C^\perp) - 1$, which is impossible by the definition of the minimum distance of a code. Then choose $k - K - 1 = k - d(C^\perp) + 1$ extra columns of G such that, together with $g_1, g_2, \dots, g_{K+1}$, they form a basis of $\mathbb{F}_{q^l}^{k}$. Without loss of generality, we assume the first k columns of G are linearly independent over $\mathbb{F}_{q^l}$. For any $P \in \mathbb{F}_{q^l}^{(M+1) \times (k - d(C^\perp) + 1)}$, consider the system of linear equations

$$(2.3) \qquad \begin{pmatrix} H_1 S_n \\ \vdots \\ H_K S_n \end{pmatrix} A = \begin{pmatrix} C_1 \\ \vdots \\ C_K \end{pmatrix}, \qquad A \begin{pmatrix} g_{1,1} & \cdots & g_{1,K} & g_{1,K+2} & \cdots & g_{1,k} \\ g_{2,1} & \cdots & g_{2,K} & g_{2,K+2} & \cdots & g_{2,k} \\ \vdots & & \vdots & \vdots & & \vdots \\ g_{k,1} & \cdots & g_{k,K} & g_{k,K+2} & \cdots & g_{k,k} \end{pmatrix} = \left( \begin{array}{ccc|c} b_{0,1} & \cdots & b_{0,K} & \\ b_{1,1} & \cdots & b_{1,K} & P \\ \vdots & & \vdots & \\ b_{M,1} & \cdots & b_{M,K} & \end{array} \right),$$

in which the column $g_{K+1}$ is left out and the extra columns $g_{K+2}, \dots, g_k$ are required to map to the prescribed block P. This construction step is trivial.
By Lemma 5, System (2.3) has $q^{l}$ solutions, say $A_1, A_2, \dots, A_{q^l}$, and $A_1, A_2, \dots, A_{q^l}$ are also solutions of System (2.1). Next, we show

$$\{\, \varphi_{s_{M+1}}(A_j) \mid j = 1, 2, \dots, q^{l} \,\} = \mathbb{F}_{q^l}.$$

Otherwise, there are two solutions $A_{j_1}$ and $A_{j_2}$ such that

$$(1, s_{M+1}, s_{M+1}^{q}, \dots, s_{M+1}^{q^{M-1}})\, A_{j_1} \begin{pmatrix} g_{1,K+1} \\ g_{2,K+1} \\ \vdots \\ g_{k,K+1} \end{pmatrix} = (1, s_{M+1}, s_{M+1}^{q}, \dots, s_{M+1}^{q^{M-1}})\, A_{j_2} \begin{pmatrix} g_{1,K+1} \\ g_{2,K+1} \\ \vdots \\ g_{k,K+1} \end{pmatrix}.$$

Then we have

$$\begin{pmatrix} 1 & s_1 & s_1^{q} & \cdots & s_1^{q^{M-1}} \\ 1 & s_2 & s_2^{q} & \cdots & s_2^{q^{M-1}} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & s_{M+1} & s_{M+1}^{q} & \cdots & s_{M+1}^{q^{M-1}} \end{pmatrix} A_{j_1} \begin{pmatrix} g_{1,1} & g_{1,2} & \cdots & g_{1,k} \\ g_{2,1} & g_{2,2} & \cdots & g_{2,k} \\ \vdots & \vdots & \ddots & \vdots \\ g_{k,1} & g_{k,2} & \cdots & g_{k,k} \end{pmatrix} = \begin{pmatrix} 1 & s_1 & s_1^{q} & \cdots & s_1^{q^{M-1}} \\ 1 & s_2 & s_2^{q} & \cdots & s_2^{q^{M-1}} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & s_{M+1} & s_{M+1}^{q} & \cdots & s_{M+1}^{q^{M-1}} \end{pmatrix} A_{j_2} \begin{pmatrix} g_{1,1} & g_{1,2} & \cdots & g_{1,k} \\ g_{2,1} & g_{2,2} & \cdots & g_{2,k} \\ \vdots & \vdots & \ddots & \vdots \\ g_{k,1} & g_{k,2} & \cdots & g_{k,k} \end{pmatrix}.$$

But the Moore matrix

$$\begin{pmatrix} 1 & s_1 & s_1^{q} & \cdots & s_1^{q^{M-1}} \\ 1 & s_2 & s_2^{q} & \cdots & s_2^{q^{M-1}} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & s_{M+1} & s_{M+1}^{q} & \cdots & s_{M+1}^{q^{M-1}} \end{pmatrix}$$

is invertible since $s_1, s_2, \dots, s_{M+1} \in \mathbb{F}_{q^l}$ are linearly independent over $\mathbb{F}_q$. And the matrix

$$\begin{pmatrix} g_{1,1} & g_{1,2} & \cdots & g_{1,k} \\ g_{2,1} & g_{2,2} & \cdots & g_{2,k} \\ \vdots & \vdots & \ddots & \vdots \\ g_{k,1} & g_{k,2} & \cdots & g_{k,k} \end{pmatrix}$$

is invertible by our assumption. So $A_{j_1} = A_{j_2}$, which contradicts the condition $A_{j_1} \ne A_{j_2}$. Hence statement (1) holds.

Next, we prove (2). Any one solution of System (2.1) gives one $P \in \mathbb{F}_{q^l}^{(M+1) \times (k - d(C^\perp) + 1)}$, while corresponding to such a P there are $q^{l}$ solutions of System (2.1) from the proof of (1). In this way, we partition the solutions of System (2.1) into $q^{l(k - d(C^\perp) + 1)}$ parts such that each part contains $q^{l}$ elements. Also from the proof of (1), the image of each part under $\varphi_{s_{M+1}}$ is $\mathbb{F}_{q^l}$. So for any $y \in \mathbb{F}_{q^l}$, the number of inverse images of y is $\#\varphi_{s_{M+1}}^{-1}(y) = q^{l(k - d(C^\perp) + 1)}$. So far, we have finished the proof of our claim.

□

Remark 3. From the proofs of Lemma 5 and Theorem 6, the coalition of malicious nodes B can successfully make a substitution attack to the node $R_i$ if and only if $g_i$ is contained in the subspace of $\mathbb{F}_{q^l}^{k}$ generated by $\{g_j \mid j \in B\}$, where $g_j$ represents the j-th column of the generator matrix G. In this case, they can recover the private key of $R_i$ using the linear relationship. So we connect our authentication scheme with the linear secret sharing scheme in the way that we regard the private key of $R_i$ as the secret key and the private keys of the other verifying nodes as shares of the private key of $R_i$. Then, similarly to the linear secret sharing scheme [4, 5], which considered the first component of codewords as the secret key location, using the modified definition of minimal codewords of a linear code given in the introduction, we can completely characterize the malicious groups that can successfully make a substitution attack to some other node. This is what Theorem 3 and Corollary 4 say.

3. The Authentication Scheme Based on Algebraic Geometry Codes 

In this section, we give examples of our authentication schemes based on some explicit linear codes, AG codes from elliptic curves. First, recall the definition of AG codes. We fix some notation valid for this entire section.

• $X/\mathbb{F}_q$ is a geometrically irreducible smooth projective curve of genus $g$ over the finite field $\mathbb{F}_q$ with function field $\mathbb{F}_q(X)$.

• $X(\mathbb{F}_q)$ is the set of all $\mathbb{F}_q$-rational points on $X$.

• $D = \{R_1, R_2, \dots, R_n\}$ is a proper subset of the rational points $X(\mathbb{F}_q)$.

• Without any confusion, we also write $D = R_1 + R_2 + \cdots + R_n$.

• $G$ is a divisor of degree $k$ ($2g - 2 < k < n$) with $\operatorname{Supp}(G) \cap D = \emptyset$.

Let $V$ be a divisor on $X$. Denote by $\mathcal{L}(V)$ the $\mathbb{F}_q$-vector space of all rational functions $f \in \mathbb{F}_q(X)$ with principal divisor $\operatorname{div}(f) \ge -V$, together with the zero function. And denote by $\Omega(V)$ the $\mathbb{F}_q$-vector space of all Weil differentials $\omega$ with divisor $\operatorname{div}(\omega) \ge V$, together with the zero differential (cf. [26]).

Then the residue AG code $C_\Omega(D, G)$ is defined to be the image of the following residue map:

$$\operatorname{res} : \Omega(G - D) \to \mathbb{F}_q^{n};\quad \omega \mapsto \big(\operatorname{res}_{R_1}(\omega), \operatorname{res}_{R_2}(\omega), \dots, \operatorname{res}_{R_n}(\omega)\big) .$$

And its dual code, the functional AG code $C_{\mathcal{L}}(D, G)$, is defined to be the image of the following evaluation map:

$$\operatorname{ev} : \mathcal{L}(G) \to \mathbb{F}_q^{n};\quad f \mapsto \big(f(R_1), f(R_2), \dots, f(R_n)\big) .$$

They have the code parameters $[n,\ n-k+g-1,\ d \ge k-2g+2]$ and $[n,\ k-g+1,\ d \ge n-k]$, respectively. And we have the following isomorphism

$$C_\Omega(D, G) = C_{\mathcal{L}}(D,\ D - G + (\eta))$$

for some Weil differential $\eta$ satisfying $v_{R_i}(\eta) = -1$ and $\eta_{R_i}(1) = 1$ for all $i = 1, 2, \dots, n$ ([26, Proposition 2.2.10]).

For the authentication scheme based on the simplest AG codes, i.e., generalized Reed-Solomon codes, we have determined in Corollary 2 all the malicious groups that can make a substitution attack to any (not necessarily all) other receiver. Next, we consider the authentication scheme based on the AG codes $C_\Omega(D, G)$ from elliptic curves. Using the Riemann-Roch theorem, whether a malicious group is able to make a substitution attack to any (not necessarily all) other receiver can be characterized completely as follows.

Theorem 7. Let $X = E$ be an elliptic curve over $\mathbb{F}_q$, $D = \{R_1, R_2, \dots, R_n\}$ a subset of $E(\mathbb{F}_q)$ such that the zero element $O \notin D$, and let $G = kO$ ($0 < k < n$). Then for the authentication scheme we constructed based on the AG code $C_\Omega(D, G)$, we have (all sums of points below are taken in the group $E(\mathbb{F}_q)$):

(i): Any coalition of up to $(n - k - 2)$ malicious receivers can not make a substitution attack to any other receiver.

(ii): A malicious group $A \subset D$, $\#A = n - k - 1$, can successfully make a substitution attack to the receiver $R_i \in D \setminus A$ if and only if

$$\sum_{P \in D \setminus A} P = R_i .$$

Moreover, we note that they can only successfully make a substitution attack to the receiver $\sum_{P \in D \setminus A} P$ if $\sum_{P \in D \setminus A} P \in D \setminus A$.

(iii): A malicious group $A \subset D$, $\#A = n - k$, can successfully make a substitution attack to the receiver $R_i \in D \setminus A$ if and only if there exists some $Q \in E(\mathbb{F}_q) \setminus \{R_i\}$ such that the sum

$$\sum_{P \in D \setminus A} P + Q = R_i ,$$

which is equivalent to

$$\sum_{P \in D \setminus A} P \neq O .$$

And hence, since this condition does not depend on $R_i$, such a malicious group can successfully make a substitution attack to any other receiver.

(iv): A malicious group with at least $(n - k + 1)$ members can successfully make a substitution attack to any other receiver.

Proof. The statement (i) follows from Theorem 6, as the minimum distance

$$d^{\perp}(C_\Omega(D, G)) = d(C_{\mathcal{L}}(D, G)) \ge n - k .$$

For the statement (ii), if the malicious group $A \subset D$, $\#A = n - k - 1$, can successfully make a substitution attack to the receiver $R_i \in D \setminus A$, then there exists some non-zero function in the dual code $f \in \mathcal{L}\big(kO - \sum_{P \in D \setminus A} P + R_i\big)$, i.e.,

$$\operatorname{div}(f) \ge \sum_{R \in D \setminus A} R - R_i - kO .$$

Both sides of the above inequality have degree $0$, so

$$\operatorname{div}(f) = \sum_{R \in D \setminus A} R - R_i - kO .$$

That is,

$$\sum_{R \in D \setminus A} R = R_i .$$

Similarly for the statement (iii), if a malicious group $A \subset D$, $\#A = n - k$, can successfully make a substitution attack to the receiver $R_i \in D \setminus A$, there exists some non-zero function

$$f \in \mathcal{L}\Big(kO - \sum_{R \in D \setminus A} R + R_i\Big) \setminus \mathcal{L}\Big(kO - \sum_{R \in D \setminus A} R\Big),\quad \text{i.e.,}\quad f(R_i) \neq 0 \ \text{ and } \ \operatorname{div}(f) \ge \sum_{R \in D \setminus A} R - R_i - kO .$$

Then there is an extra zero $Q \in E(\mathbb{F}_q) \setminus \{R_i\}$ of $f$ such that

$$\operatorname{div}(f) = \sum_{R \in D \setminus A} R - R_i + Q - kO .$$

That is,

$$\sum_{R \in D \setminus A} R + Q = R_i .$$

The rest of (iii) is obvious.

We prove the statement (iv) by contradiction. A malicious group $A$ can not successfully make a substitution attack to the receiver $R_i$ if and only if there exists a function

$$f \in \mathcal{L}(D - G + (\eta))$$

such that

$$f(R_i) = 1, \quad \text{and} \quad f(R) = 0 \ \ \forall R \in A .$$

As $f \in \mathcal{L}(D - G + (\eta))$, $f$ has at most $\deg(D - G + (\eta)) = n - k$ zeros. So if

$$\#A \ge n - k + 1 ,$$

the malicious group $A$ can successfully make a substitution attack to any other receiver.

□ 

Finally, we give a remark on the above theorem to finish this section.

Remark 4. If for any $A \subset D$ with $\#A = n - k$, the inequality

$$\sum_{P \in D \setminus A} P \neq O$$

holds, then the minimum distance [27, 28] of the AG code $C_\Omega(D, G)$ is

$$d(C_\Omega(D, G)) = k + 1 .$$

In this case, $C_\Omega(D, G)$ is MDS. So by the property of MDS codes, its dual code $C_{\mathcal{L}}(D, G)$ is also MDS, i.e.,

$$d(C_{\mathcal{L}}(D, G)) = n - k + 1 .$$

Also in this case, such a malicious group as in Theorem 7 (ii) does not exist. So it coincides with Corollary 2.

On the other side, if $C_\Omega(D, G)$ is not MDS, then there exists $A \subset D$ with $\#A = n - k$ such that

$$\sum_{P \in D \setminus A} P = O .$$

Such a malicious group $A$ can not successfully make a substitution attack to any other receiver.
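Theorem 7 (ii) and Remark 4 reduce the question of which coalitions of $n-k-1$ receivers can forge for some receiver to sums of points in $E(\mathbb{F}_q)$, which is what a designer choosing the evaluation set $D$ should check before deploying the scheme. The following Python script is an added example and not code from the paper. It assumes a constructed toy curve $E: y^2 = x^3 + x + 6$ over $\mathbb{F}_{11}$, whose group has 13 points, with $n = 6$ and $k = 3$; the generator $(2, 7)$ and the two point sets `D_BAD` and `D_GOOD` are constructed for the example. It tests the MDS condition of Remark 4 for a given $D$ and lists the $(A, R_i)$ pairs of Theorem 7 (ii), i.e. the coalitions of size $n-k-1$ for which the scheme built on $C_\Omega(D, kO)$ does not give receiver $R_i$ the protection of Corollary 2.

```python
from functools import reduce
from itertools import combinations

# Toy curve, constructed for this example: E: y^2 = x^3 + x + 6 over F_11.
# E(F_11) has 13 points, so every non-zero point generates the group.
P_MOD, A_COEF, B_COEF = 11, 1, 6
O = None  # the zero element (point at infinity)


def ec_add(P, Q):
    """Group law on E(F_p) in affine coordinates; O is represented by None."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O  # Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + A_COEF) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_sum(points):
    """Sum of a list of points in the group E(F_p)."""
    return reduce(ec_add, points, O)


def ec_mul(n, P):
    """n*P by repeated addition (fine for a toy curve)."""
    return ec_sum([P] * n)


def curve_points():
    """All affine F_11-rational points of E (O excluded)."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD)
            if (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0]


def is_mds(D, k):
    """Remark 4: C_Omega(D, kO) is MDS iff sum_{P in D\\A} P != O for every A with #A = n-k."""
    n = len(D)
    return all(ec_sum([P for P in D if P not in A]) is not O
               for A in combinations(D, n - k))


def weak_coalitions(D, k):
    """Theorem 7 (ii): pairs (A, R_i) with #A = n-k-1 and sum_{P in D\\A} P = R_i in D\\A."""
    n = len(D)
    found = []
    for A in combinations(D, n - k - 1):
        rest = [P for P in D if P not in A]
        s = ec_sum(rest)
        if s in rest:
            found.append((A, s))
    return found


# Evaluation sets built from multiples of the generator (2, 7); constructed inputs.
GEN = (2, 7)
D_BAD = [ec_mul(i, GEN) for i in (1, 2, 3, 4, 5, 6)]     # n = 6
D_GOOD = [ec_mul(i, GEN) for i in (1, 2, 3, 4, 5, 11)]   # n = 6

if __name__ == "__main__":
    for name, D in (("D_BAD", D_BAD), ("D_GOOD", D_GOOD)):
        print(name, "MDS:", is_mds(D, 3),
              "(coalition, receiver) pairs from Theorem 7 (ii):", len(weak_coalitions(D, 3)))
```

For `D_GOOD` no sum of $n-k = 3$ points of $D$ vanishes, so by Remark 4 the code is MDS and no coalition of $n-k-1 = 2$ receivers can forge for anyone; for `D_BAD` two such sums vanish, and each yields coalitions that can forge for exactly one receiver, as Theorem 7 (ii) predicts. The check runs in time exponential in $n$, which is adequate for the small $n$ of an example but not for large evaluation sets.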

4. Conclusion 

In this paper, we construct an authentication scheme based on a linear code $C = [V, k, d]$ for subspace codes over network coding. It is an unconditionally secure authentication scheme, which offers robustness against a coalition of up to $(d(C^{\perp}) - 2)$ malicious receivers. If we take $C$ to be a Reed-Solomon code, then our authentication scheme can be regarded as a modification of the multi-receiver authentication scheme for multiple messages given by Safavi-Naini and Wang [1]. The authentication scheme based on the Reed-Solomon code $[V, k, d]$ is a $(V, k)$ threshold authentication scheme: any $k - 1$ of the $V$ receivers can not produce a fake message that can be accepted by any other receiver with a higher probability than randomly guessing a label for the message, but any $k$ of the $V$ verifying receivers can easily produce a fake message that can be accepted by any other receiver. Generalizing the scheme with Reed-Solomon codes to one with arbitrary linear codes has several advantages, similar to the advantages of generalizing Shamir's secret sharing scheme to linear secret sharing schemes [2, 3, 4, 5, 6]. First, for a fixed message space $Q_q(l, n)$, by choosing proper linear codes, our scheme allows arbitrarily many receivers to check the integrity of their own messages, while the scheme with Reed-Solomon codes has the constraint $V < q^{l}$ on the number of verifying receivers. Secondly, for some important receiver, coalitions of $k$ or more malicious receivers still can not make a substitution attack on the receiver more efficiently than randomly guessing a label from the finite field for a fake message.